On Mon, 4 Aug 2008, Al Viro wrote:

quoted text
> On Mon, Aug 04, 2008 at 09:00:58PM +0100, Al Viro wrote:
>> On Mon, Aug 04, 2008 at 09:41:10PM +0200, Krzysztof Oledzki wrote:
>>
>>>> BTW: It also happens when I revert my patch:
>>>>
>>>> sysctl -a|grep net.netfilter
>>>>
>>>> net.netfilter.nf_conntrack_generic_timeout =3D 600
>>>> net.netfilter.nf_conntrack_generic_timeout =3D 600
>>>
>>> And the winner is... 9043476f726802f4b00c96d0c4f418dde48d1304:
>>>
>>> [PATCH] sanitize proc_sysctl
>>
>> Almost definitely problems with registration order ;-/  I'll look into
>> that once I get a bit of sleep...
>
> ... and registration order it is.  Try adding
> =09static struct ctl_table empty[1];
> =09register_sysctl_paths(nf_net_netfilter_sysctl_path, empty);
> in netfilter_init() and see if that solves the problem.

Solves partially: no more WARNING, however entries are still=20
missing & duplicated:

# sysctl -a 2>/dev/null|grep net.netfilter
net.netfilter.nf_conntrack_generic_timeout =3D 600
net.netfilter.nf_conntrack_acct =3D 1
net.netfilter.nf_conntrack_generic_timeout =3D 600
net.netfilter.nf_conntrack_acct =3D 1

Plus, without nf_conntrack module loaded I get empty=20
/proc/sys/net/netfilter/, but this is probably expected.

--- a/net/netfilter/core.c     2008-07-13 23:51:29.000000000 +0200
+++ b/net/netfilter/core.c     2008-08-04 22:56:42.000000000 +0200
@@ -26,6 +26,10 @@

  static DEFINE_MUTEX(afinfo_mutex);

+#ifdef CONFIG_SYSCTL
+       static struct ctl_table empty[1];
+#endif
+
  const struct nf_afinfo *nf_afinfo[NPROTO] __read_mostly;
  EXPORT_SYMBOL(nf_afinfo);

@@ -275,6 +279,10 @@
                 panic("cannot create netfilter proc entry");
  #endif

+#ifdef CONFIG_SYSCTL
+       register_sysctl_paths(nf_net_netfilter_sysctl_path, empty);
+#endif
+
         if (netfilter_queue_init() < 0)
                 panic("cannot initialize nf_queue");
         if (netfilter_log_init() < 0)


Best regards,

 =09=09=09=09Krzysztof Ol=EAdzki